13.7. VPN over IPsec

Written by Nik Clayton.

Written by Hiten M. Pandya.

Internet Protocol Security (IPsec) is a
set of protocols which sit on top of the Internet Protocol
(IP) layer. It allows two or more hosts to
communicate in a secure manner by authenticating and encrypting
each IP packet of a communication session.
The FreeBSD IPsec network stack is based on the
http://www.kame.net/
implementation and supports both IPv4 and
IPv6 sessions.

IPsec consists of the following
sub-protocols:

Encapsulated Security Payload
(ESP): this protocol
protects the IP packet data from third
party interference by encrypting the contents using
symmetric cryptography algorithms such as Blowfish and
3DES.

Authentication Header
(AH): this protocol
protects the IP packet header from third
party interference and spoofing by computing a cryptographic
checksum and hashing the IP packet
header fields with a secure hashing function. This is then
followed by an additional header that contains the hash, to
allow the information in the packet to be
authenticated.

IP Payload Compression Protocol
(IPComp): this protocol
tries to increase communication performance by compressing
the IP payload in order to reduce the
amount of data sent.

These protocols can either be used together or separately,
depending on the environment.

IPsec supports two modes of operation.
The first mode, Transport Mode, protects
communications between two hosts. The second mode,
Tunnel Mode, is used to build virtual
tunnels, commonly known as Virtual Private Networks
(VPNs). Consult ipsec(4) for detailed
information on the IPsec subsystem in
FreeBSD.

IPsec support is enabled by default on
FreeBSD 11 and later. For previous versions of FreeBSD, add
these options to a custom kernel configuration file and rebuild
the kernel using the instructions in Chapter 8, Configuring the FreeBSD Kernel:

options IPSEC #IP security
device crypto

If IPsec debugging support is desired,
the following kernel option should also be added:

options IPSEC_DEBUG #debug for IP security

The rest of this chapter demonstrates the process of
setting up an IPsec VPN
between a home network and a corporate network. In the example
scenario:

Both sites are connected to the Internet through a
gateway that is running FreeBSD.

The gateway on each network has at least one external
IP address. In this example, the
corporate LAN's external
IP address is 172.16.5.4 and the home
LAN's external IP
address is 192.168.1.12.

The internal addresses of the two networks can be either
public or private IP addresses. However,
the address space must not collide. For example, both
networks cannot use 192.168.1.x. In this
example, the corporate LAN's internal
IP address is 10.246.38.1 and the home
LAN's internal IP
address is 10.0.0.5.

13.7.1. Configuring a VPN on FreeBSD

Written by Tom Rhodes.

To begin, security/ipsec-tools must be
installed from the Ports Collection. This software provides a
number of applications which support the configuration.

The next requirement is to create two gif(4)
pseudo-devices which will be used to tunnel packets and allow
both networks to communicate properly. As root, run the following
commands, replacing internal and
external with the real IP
addresses of the internal and external interfaces of the two
gateways:

As expected, both sides can send and
receive ICMP packets from the privately
configured addresses. Next, both gateways must be told how to
route packets in order to correctly send traffic from either
network. The following commands will achieve this
goal:

Setting up the tunnels is the easy part. Configuring a
secure link is a more in-depth process. The following
configuration uses pre-shared (PSK)
RSA keys. Other than the
IP addresses, the
/usr/local/etc/racoon/racoon.conf on both
gateways will be identical and look similar to:

For descriptions of each available option, refer to the
manual page for racoon.conf.

The Security Policy Database (SPD)
needs to be configured so that FreeBSD and
racoon are able to encrypt and
decrypt network traffic between the hosts.

This can be achieved with a shell script, similar to the
following, on the corporate gateway. This file will be used
during system initialization and should be saved as
/usr/local/etc/racoon/setkey.conf.

flush;
spdflush;
# To the home network
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;
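The policies above are written for the corporate gateway only; the home gateway needs the same two policies with the addresses swapped, and the text earlier in this section requires that the two internal address spaces do not collide. The following Python script is an added example, not part of the handbook: it encodes the scenario's addresses, checks the addressing plan, and emits the mirrored gif(4)/route(8) commands and setkey.conf policies for each gateway. The ifconfig and route invocations and the `level` parameter are assumptions made here; only the corporate-side spdadd lines are confirmed by the page.

```python
"""Added example (not from the FreeBSD Handbook): generate the per-gateway
tunnel commands and setkey.conf policies for the IPsec VPN scenario."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str       # label used in generated comments
    external: str   # address on the Internet-facing interface
    internal: str   # address on the LAN-facing interface
    network: str    # LAN behind this gateway, in CIDR notation


# Addresses taken from the handbook's example scenario.
CORPORATE = Gateway("corporate", "172.16.5.4", "10.246.38.1", "10.246.38.0/24")
HOME = Gateway("home", "192.168.1.12", "10.0.0.5", "10.0.0.0/24")


def check_plan(a: Gateway, b: Gateway) -> list:
    """Return a list of problems with the addressing plan (empty means OK).

    The internal address spaces must not collide, and each gateway's
    internal address must lie inside its own LAN."""
    problems = []
    net_a = ipaddress.ip_network(a.network)
    net_b = ipaddress.ip_network(b.network)
    if net_a.overlaps(net_b):
        problems.append(f"internal networks collide: {net_a} and {net_b}")
    for gw, net in ((a, net_a), (b, net_b)):
        if ipaddress.ip_address(gw.internal) not in net:
            problems.append(f"{gw.name}: internal address {gw.internal} is not in {net}")
    return problems


def tunnel_commands(local: Gateway, remote: Gateway, gif: str = "gif0") -> list:
    """Commands to run as root on `local` so its LAN can reach `remote`'s LAN.

    ifconfig(8)/gif(4) and route(8) syntax is assumed here, not quoted from the page."""
    return [
        f"ifconfig {gif} create",
        f"ifconfig {gif} {local.internal} {remote.internal}",         # inner (tunnelled) endpoints
        f"ifconfig {gif} tunnel {local.external} {remote.external}",  # outer (Internet) endpoints
        f"route add -net {remote.network} {remote.internal}",         # send the far LAN into the tunnel
    ]


def spd_policies(local: Gateway, remote: Gateway, level: str = "use") -> list:
    """Lines of setkey.conf for `local`: the outbound policy names the local
    external address first, the inbound policy the remote one.

    `level` is the final field of each policy: "use" (as on the page) lets
    packets leave in cleartext when no SA exists; "require" refuses to."""
    return [
        "flush;",
        "spdflush;",
        f"# To the {remote.name} network",
        f"spdadd {local.network} {remote.network} any -P out ipsec "
        f"esp/tunnel/{local.external}-{remote.external}/{level};",
        f"spdadd {remote.network} {local.network} any -P in ipsec "
        f"esp/tunnel/{remote.external}-{local.external}/{level};",
    ]


if __name__ == "__main__":
    for problem in check_plan(CORPORATE, HOME):
        raise SystemExit(f"bad plan: {problem}")
    for local, remote in ((CORPORATE, HOME), (HOME, CORPORATE)):
        print(f"### {local.name} gateway")
        print("\n".join(tunnel_commands(local, remote)))
        print("\n".join(spd_policies(local, remote)))
        print()
```

Running the script prints the command set and setkey.conf for the corporate gateway followed by the mirrored set for the home gateway. The page's policies end in /use, which means the kernel still forwards the inner traffic in cleartext if no security association has been negotiated; generating them with level="require" instead makes the policy fail closed, so a racoon outage drops the inter-site traffic rather than exposing it.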

Once in place, racoon may be
started on both gateways using the following command:

At this point, both networks should be available and seem
to be part of the same network. Most likely both networks are
protected by a firewall. To allow traffic to flow between
them, rules need to be added to pass packets. For the
ipfw(8) firewall, add the following lines to the firewall
configuration file:

ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

Note:

The rule numbers may need to be altered depending on the
current host configuration.

For users of pf(4) or ipf(8), the following
rules should do the trick:

pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
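A VPN that silently fails because one direction of ESP, AH, ipencap, IKE (UDP 500) or the gif interface itself is blocked is a common misconfiguration, so it helps to lint the ruleset before deploying it. The following Python script is an added example, not from the handbook: it parses pf-style "pass in|out quick ..." rules like the ones above and reports which of the required passes are absent. The tokenizer only understands the rule shapes shown on this page; the sample ruleset is constructed here from the page's rules with the inbound AH rule deliberately left out.

```python
"""Added example (not from the FreeBSD Handbook): check that a pf-style
ruleset passes everything an IPsec VPN needs in both directions."""


def parse_rule(line: str):
    """Parse one 'pass in|out quick ...' rule into (direction, proto, ports, iface).

    Returns None for blank lines, comments and anything that is not a pass rule."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "pass" or toks[1] not in ("in", "out"):
        return None
    proto = toks[toks.index("proto") + 1] if "proto" in toks else None
    iface = toks[toks.index("on") + 1] if "on" in toks else None
    # 'port = N' may follow 'from any' and/or 'to any'
    ports = [toks[i + 2] for i, t in enumerate(toks[:-2])
             if t == "port" and toks[i + 1] == "="]
    return toks[1], proto, ports, iface


def missing_passes(ruleset: str, tunnel_if: str = "gif0", ike_port: str = "500") -> list:
    """Return the (direction, kind, detail) passes that the ruleset lacks.

    Required per direction: ESP, AH, ipencap, UDP on the IKE port, and the
    tunnel interface itself. An empty result means the VPN traffic is covered."""
    seen = set()
    for raw in ruleset.splitlines():
        parsed = parse_rule(raw.strip())
        if parsed is None:
            continue
        direction, proto, ports, iface = parsed
        if proto == "udp":
            for port in ports:
                seen.add((direction, "udp", port))
        elif proto:
            seen.add((direction, proto, ""))
        if iface:
            seen.add((direction, "on", iface))
    required = set()
    for direction in ("in", "out"):
        for proto in ("esp", "ah", "ipencap"):
            required.add((direction, proto, ""))
        required.add((direction, "udp", ike_port))
        required.add((direction, "on", tunnel_if))
    return sorted(required - seen)


# Constructed sample: the page's pf ruleset with the inbound AH rule left out.
SAMPLE_RULESET = """\
pass in quick proto esp from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
"""

if __name__ == "__main__":
    for direction, kind, detail in missing_passes(SAMPLE_RULESET):
        print(f"missing: pass {direction} {kind} {detail}".rstrip())
```

On the constructed sample the script reports the single missing inbound AH pass; feeding it the complete ruleset from the page yields no output. Because the check is keyed on direction, a ruleset that passes ESP inbound but forgets it outbound is caught the same way.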

Finally, to allow the machine to start support for the
VPN during system initialization, add the
following lines to /etc/rc.conf: